Security Incidents mailing list archives
Re: NT Compromise -- UPDATE (UDP Flood SRC=53)
From: "Mike Lewinski" <mike () rockynet com>
Date: Mon, 24 Dec 2001 14:39:27 -0700
I NEED to figure out what this traffic is as it is what originally gave us
the
impression it was compromised. SOURCE PORT of 53? The only thing I can google on this is a bit of references to Stacheldraht.
BIND has a directive that allows the source port of all queries (i.e. recursive lookups) to be specified. It's fairly common to set it to 53. This makes for cleaner firewall setup. It doesn't sound like that's what you're seeing now. However, if it is a DoS tool, it may be assuming that every firewall is going to all UDP 53 through and that's why. Mike ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- NT Compromise -- UPDATE (UDP Flood SRC=53) Loki (Dec 24)
- Re: NT Compromise -- UPDATE (UDP Flood SRC=53) Mike Lewinski (Dec 25)